Reverse Proxy
A reverse proxy sits in front of CoolerControl and handles tasks like TLS termination, custom domain routing, and centralized access management. This is often simpler than configuring TLS directly in CoolerControl, especially if you already run a web server or proxy for other services.
Why Use a Reverse Proxy
- TLS termination with real certificates - Let the proxy handle Let's Encrypt or other CA certificates automatically, without configuring them in CoolerControl.
- Custom domain - Access CoolerControl at https://coolercontrol.mydomain.com instead of an IP and port.
- Centralized access - Manage TLS, authentication, and routing for multiple services in one place.
- SSE compatibility - CoolerControl uses Server-Sent Events for real-time updates; the proxy examples below include the necessary settings to support this.
CoolerControl Settings for Reverse Proxy
When running behind a reverse proxy, you may need to adjust these settings in /etc/coolercontrol/config.toml:
Protocol Header
If your proxy terminates TLS and connects to CoolerControl over HTTP, set the protocol_header so the daemon trusts the proxy's forwarded protocol and skips the HTTPS redirect:

    [settings]
    protocol_header = "X-Forwarded-Proto"

Your proxy must send the X-Forwarded-Proto: https header for this to work.
Custom Origins (CORS)
By default, CoolerControl only allows requests from localhost origins. If you access it through a custom domain, add that domain to the allowed origins list:

    [settings]
    origins = ["https://coolercontrol.mydomain.com"]

TIP
A typical reverse proxy setup uses all these settings together:

    [settings]
    protocol_header = "X-Forwarded-Proto"
    origins = ["https://coolercontrol.mydomain.com"]

nginx
A full nginx configuration with TLS termination and SSE support:

    server {
        listen 80;
        server_name coolercontrol.mydomain.com;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        server_name coolercontrol.mydomain.com;

        ssl_certificate /etc/letsencrypt/live/coolercontrol.mydomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/coolercontrol.mydomain.com/privkey.pem;

        location / {
            proxy_pass http://127.0.0.1:11987;

            # Standard proxy headers
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # SSE support: keep connections open and disable buffering
            proxy_read_timeout 86400;
            proxy_buffering off;
            proxy_cache off;

            # WebSocket support (if needed)
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

WARNING
The proxy_read_timeout 86400 (24 hours) and proxy_buffering off settings are important for SSE (Server-Sent Events) to work correctly. Without these, nginx may buffer or time out the long-lived SSE connections that CoolerControl uses for real-time updates.
Caddy
Caddy is a modern web server with automatic HTTPS built in. It automatically obtains and renews Let's Encrypt certificates, so no manual certificate management is needed.
Caddyfile

    coolercontrol.mydomain.com {
        reverse_proxy 127.0.0.1:11987
    }

That's it. Caddy handles TLS certificates, HTTP-to-HTTPS redirects, and proper header forwarding automatically.
With explicit options

    coolercontrol.mydomain.com {
        reverse_proxy 127.0.0.1:11987 {
            # Pass original headers
            header_up X-Real-IP {remote_host}
            header_up X-Forwarded-Proto {scheme}

            # Flush immediately for SSE support
            flush_interval -1
        }
    }

Traefik
Traefik is a cloud-native reverse proxy often used in Docker and container environments.
File-Based Configuration
Add to your Traefik dynamic configuration file:

    # dynamic-config.yaml
    http:
      routers:
        coolercontrol:
          rule: "Host(`coolercontrol.mydomain.com`)"
          service: coolercontrol
          entryPoints:
            - websecure
          tls:
            certResolver: letsencrypt
      services:
        coolercontrol:
          loadBalancer:
            servers:
              - url: "http://127.0.0.1:11987"

Docker Labels
If running Traefik with Docker:

    # docker-compose.yaml
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.coolercontrol.rule=Host(`coolercontrol.mydomain.com`)"
      - "traefik.http.routers.coolercontrol.entrypoints=websecure"
      - "traefik.http.routers.coolercontrol.tls.certresolver=letsencrypt"
      - "traefik.http.services.coolercontrol.loadbalancer.server.port=11987"

See Also
- SSL/TLS - Direct TLS configuration in CoolerControl
- Security Overview - Full security model reference
- Remote Access - Configure remote access to CoolerControl
- TCP Port and Address - Configure the daemon's network settings